Subject matter experts routinely perform analyses of the vulnerability of communications network-connected elements to unauthorized access. Typically, these examinations are performed in one of two ways.
The first method involves a direct measurement of the vulnerability of a service to a particular method of access, or threat. These evaluations, often called penetration tests, are performed from a variety of entry points and against a set of known threats. This approach has a number of drawbacks. To begin with, the examination is largely limited to threats that are well known to the evaluator. In practice, this also means that only access methods within the experience or capabilities of the analyst are included in the analysis. Moreover, the set of threats and evaluation points may be further limited so that they can be analyzed within a given amount of time. Another drawback is that most communications network administrators are reluctant to allow an evaluator to execute threats that may cause a disruption or damage to the elements on their network.
Because penetration tests can be detrimental to a network, some users have migrated towards deterministic models of their networks to evaluate their security posture. One of the more popular approaches is to develop an attack graph that describes the various paths and states that an opponent might take when accessing a network. These models, while powerful, suffer from a number of issues as well. The primary concern is the complexity of such an approach. This is particularly apparent when networks are dynamic. Services come and go as users start applications or as virtual machines are started or stopped. Moreover, sensitive data are continuously in flux as they are transmitted between services. Deterministic attack graph models cannot easily account for such changes because they include no sense of time. Even when a small degree of variability is allowed, these deterministic models would still require either a significant number of simplifying assumptions to be tractable or, conversely, the user would need to restrict the evaluation in the same ways penetration tests are limited.
The second, more qualitative, approach is for a subject matter expert to evaluate the threats to a particular target found in a network. The analyst assesses the security of the services from the target working outward, looking for potential weaknesses. Specifically, the analyst considers methods that an opponent might use to access the target, then documents the scenarios an attacker might undertake as well as possible mitigation strategies. This approach has many of the same drawbacks as the deterministic penetration test style. Most significantly, the examination is limited to threats that are well known to the evaluator. Moreover, the attack methods considered are limited to the experience and capabilities of the analyst. Yet this approach is favored by many experts because of its ability to identify risks to key targets rather than attempting to discover the myriad potential vulnerabilities that exist in a network at any one time. Unfortunately, the time-intensive nature of this type of assessment only allows for the evaluation of a very limited number of incoming access points connecting to the target service. Moreover, the qualitative nature of this evaluation does not necessarily satisfy customers that it is accurate.
Yet the sheer number of possible opponent-traversal combinations makes it difficult for an analyst to quantitatively examine each one individually. Breaking this mode of examination down further: to properly characterize the probability of unauthorized access to a network, the analyst must include a wide variety of routes to the target, including acceptable-use approaches, leveraging service misconfigurations, and exploiting service vulnerabilities.
In addition to the opponent-traversal combinations there are further complications that an analyst must consider. Opponents can acquire items during an intrusion that improve their ability to reach a target. This type of action changes the threat scenario as it is played out. This evolving threat scenario may then also consist of thousands of similar, orchestrated individual attacks compounding its complexity.
Scenarios can adapt to network elements that change state regularly, both in expected ways (e.g., routine data processing flow, changing policies and procedures) and in unexpected ways such as device failures and crashes. And of course, these evolving states, unauthorized access scenarios and opponent-traversal combinations still fail to account for the constant chance of a zero-day vulnerability.
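To make the opponent-traversal and acquired-item complications above concrete, the following added example (not part of the original text) enumerates every loop-free traversal through a small constructed network whose hosts, route types and success probabilities are all assumptions. Routes carry the three route types named above, one route becomes usable only after credentials are gained earlier in the same scenario, and a static variant that ignores acquisition shows how many scenarios such a model misses.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    """One opponent-traversal option between two network elements."""
    src: str
    dst: str
    kind: str                     # acceptable-use | misconfiguration | vulnerability
    p: float                      # assumed probability that this step succeeds
    needs: Optional[str] = None   # item the opponent must already hold
    gains: Optional[str] = None   # item acquired when the step succeeds

# Constructed toy network; hosts, routes and probabilities are assumptions.
ROUTES = [
    Route("internet", "web", "vulnerability", 0.3),
    Route("internet", "vpn", "acceptable-use", 0.1),
    Route("vpn", "web", "acceptable-use", 0.4),
    Route("web", "app", "misconfiguration", 0.5, gains="svc_creds"),
    Route("vpn", "app", "acceptable-use", 0.6),
    Route("app", "db", "acceptable-use", 0.9, needs="svc_creds"),
    Route("app", "db", "vulnerability", 0.2),
]

def scenarios(routes, start, target):
    """Enumerate every loop-free traversal from start to target.

    Each scenario is (routes taken, items held at the end, probability).
    A route with `needs` is usable only once that item was acquired earlier
    in the same scenario, so the option set changes as the scenario plays out.
    """
    found = []
    def walk(node, visited, items, path, prob):
        if node == target:
            found.append((tuple(path), frozenset(items), prob))
            return
        for r in routes:
            if r.src != node or r.dst in visited:
                continue                      # no revisiting an element
            if r.needs and r.needs not in items:
                continue                      # prerequisite item not yet held
            gained = items | {r.gains} if r.gains else items
            walk(r.dst, visited | {r.dst}, gained, path + [r], prob * r.p)
    walk(start, {start}, frozenset(), [], 1.0)
    return found

def ignore_acquisition(routes):
    """Static variant: the opponent never gains items mid-intrusion."""
    return [Route(r.src, r.dst, r.kind, r.p, r.needs) for r in routes]
```

Comparing `scenarios(ROUTES, ...)` with `scenarios(ignore_acquisition(ROUTES), ...)` shows the credential-dependent route to the database appearing only when acquisition is tracked, which is exactly the state change a time-free model cannot represent.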
Once the combinations of these threat types (opponent-traversal, unauthorized access, and expected or unexpected state changes) have been identified and examined, this comprehensive threat profile must be compared against existing best practices and system administration procedures, taking into account high-value targets related to business-specific threats regarding security, confidentiality and trade secrets.
Any oversight, whether calculated or inadvertent, in this network data aggregation and analysis process can lead to compounded errors that render the entire process futile. Only with a tool that is able to sort, prioritize, and re-analyze scenarios again and again is the analyst able to make best use of their subjective subject-matter expertise to produce quantitative results.